Sunday, March 13, 2016

DDoS attacks and mitigation, an account from the practical world

Before I delve into the anti-DDoS methodologies involved, let me explain what a DDoS is and how it can impact you, the customer.

Denial Of Service (DoS)

DoS stands for Denial of Service: attackers (commonly called hackers) direct so much garbage data at the customer's site that its performance starts to suffer. In other words, an attacker sends so many garbage requests that your product site simply does not have enough resources left to serve genuine users.
A DDoS is a Distributed DoS: the attacker conducts the DoS attack from many locations simultaneously, which makes it much harder to identify and block the offending sources.

How does it impact you?

It has been reported that almost 72% (yes, almost three quarters) of servers serving an IT product get DDoS'ed! That means that if your domain does not have a DDoS mitigation policy, your business will be impacted: not only do you lose money, your brand reputation also suffers.

A DDoS attack is when a malicious user who hates to see you flourish decides to send a huge number of packets towards your site. This can start eating up the service provider's internet bandwidth, or consume resources on the server hosting your domain.

Generally tools such as Cacti (built on RRDtool) and NfSen are used to measure incoming and outgoing bandwidth and the nature of the traffic received (is it web traffic or DNS?). There are also tools which can detect such attacks and take preventive action.
[Figure: An example of a spike in traffic]

[Figure: False alarms can be difficult to identify]

Server side monitoring

On the server side one can set up monitoring tools which measure crucial parameters like CPU usage, bandwidth usage, and the number of processes and threads running.
When an attacker sends a lot of junk data to your site, your site's network suddenly sees a spike in traffic and the bandwidth consumed increases.
Generally the NOC or SOC is quick to detect this increase via alerts or graphs.
In some more complex attacks there may be no noticeable increase in bandwidth consumed, but the number of packets arriving per second increases dramatically (many small packets exhaust packet-processing capacity long before the link itself is full).
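As an added example (not code from the original post), the small Python script below shows how such a packet-rate attack can be told apart from an ordinary bandwidth spike using the per-interface byte and packet counters that tools like Cacti already collect; the counter samples are constructed for illustration and the threshold factor is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    t: float        # seconds since start of the capture
    bytes_in: int   # cumulative inbound byte counter on the interface
    pkts_in: int    # cumulative inbound packet counter on the interface

def rates(prev: Sample, cur: Sample) -> tuple[float, float]:
    """Bits per second and packets per second between two counter samples."""
    dt = cur.t - prev.t
    if dt <= 0:
        raise ValueError("samples must be strictly increasing in time")
    return (cur.bytes_in - prev.bytes_in) * 8 / dt, (cur.pkts_in - prev.pkts_in) / dt

def classify(bps: float, pps: float, base_bps: float, base_pps: float,
             factor: float = 4.0) -> str:
    """Label one interval relative to a quiet-period baseline (factor is assumed)."""
    high_bps = bps > factor * base_bps
    high_pps = pps > factor * base_pps
    if high_bps and high_pps:
        return "volumetric"     # the link itself is being choked
    if high_pps:
        return "packet-rate"    # many small packets; a bandwidth-only alert stays quiet
    if high_bps:
        return "bandwidth"      # large packets, e.g. a legitimate download burst
    return "normal"

def detect(samples: list[Sample], factor: float = 4.0) -> list[tuple[float, str]]:
    """Use the first interval as the baseline and classify every later interval."""
    if len(samples) < 3:
        raise ValueError("need a baseline interval plus at least one to classify")
    base_bps, base_pps = rates(samples[0], samples[1])
    return [(cur.t, classify(*rates(prev, cur), base_bps, base_pps, factor))
            for prev, cur in zip(samples[1:], samples[2:])]

# Constructed 60-second counter samples (not real data): a quiet baseline, a
# bandwidth flood, a small-packet flood at near-normal bandwidth, then quiet again.
SAMPLES = [
    Sample(0,   0,           0),
    Sample(60,  10_000_000,  10_000),    # ~1.3 Mbit/s, ~167 pps, ~1000 B per packet
    Sample(120, 610_000_000, 610_000),   # 80 Mbit/s and 10 000 pps
    Sample(180, 625_000_000, 810_000),   # 2 Mbit/s but ~3 300 pps (~75 B per packet)
    Sample(240, 635_000_000, 820_000),   # back to the baseline rates
]

if __name__ == "__main__":
    for t, label in detect(SAMPLES):
        print(f"t={t:>4.0f}s  {label}")
```

The third interval is the case the text describes: bandwidth only rises to about 1.5x the baseline, so a bandwidth-only alert would not fire, while the packet rate is twenty times higher.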

[Figure: CPU and other metrics of a server being measured by Graphite]

After diagnosing the incident, your hosting provider can employ a BGP announcement technique to mitigate the attack.
By changing the BGP announcement, the hosting provider tells the whole internet that the best route to them is via a mitigation provider (Prolexic is a popular service).

Now the entire internet believes your hosting is reached via the mitigation provider and starts sending all of the traffic there.

Such mitigation centers have enough bandwidth and devices to analyze the traffic and apply suitable filters so that only clean traffic passes through, thus thwarting the DDoS attack.

For the technically savvy reader, note that even though incoming traffic arrives via the mitigation provider, the outgoing traffic (traffic leaving the server, towards a customer) still goes out via the normal ISP link, so the routing is asymmetric.


Further analysis:

A DDoS attack is hugely effective when the illegitimate traffic starts to congest or choke the bandwidth. In such a scenario all the servers within that datacenter (a central place where many servers are packed together) are affected. So even if your domain is not the one being attacked but someone else's domain is, your services still get impacted.
To ensure this does not happen, companies usually deploy multiple links with large bandwidth.

Important Links:

1) Impact of DDoS
2) Wiki on DDoS
3) Prolexic Mitigation technique